How can we deal with the concept phase in the functional safety standard for automobiles. Nil Software Corp. Masao Ito

Transcription

1 How can we deal with the concept phase in the functional safety standard for automobiles Nil Software Corp. Masao Ito

2 Useless concept phase?! (Su-ri-awa-se) People in the automobile field always say that there is no chance to develop an item from scratch. Because currently the most important activity is Su-ri-awa-se (closely coordination). And they sometimes set aside the importance of the concept phase. But, I think we will have to think the new systems in the future automated driving car. In that time, I believe we need the coherent approach for establishing safety in the new car.

3 Example I use CACC as an example to explain our approach CACC is an enhancement of ACC that enables more accurate gap control and operations at smaller gaps by adding communication using the forward vehicle information. In this type, we use the LIDAR for recognition of the target car communication (image) recognition clearance Simple image of CACC (it has two mechanism to get the forward car information) CACC: Cooperative Adaptive Cruise Control

4 Concept phase? Part 3 of ISO is for the concept phase. This phase has four sub-phases: Item definition Initiation of software lifecycle Hazard analysis and risk assessment (HARA) Functional safety concept

5 Where is the Concept Phase? It is the first phase in the development process from item definition (3-5) to functional safety concept (3-8) 2-5 to 2-7 Management of functional safety 3-5 Item definition Here Initiation of the safety lifecycle Hazard analysis and risk assessment Functional safety concept Concept phase 7-6 Operation planning 7-5 Production planning 4 Product development: system level 5 HW 6 SW level level 4-9 Safety validation Allocation to other technologies Controllability External measures Product development 4-10 Functional safety (ISO Part 2 Figure 2)

6 five issues Item? Safety activity and other development activity Finding Hazards How to calculate the controllability for ASIL Several times

7 item? The item is not a system. It is an abstract object, and a system is generated from the item. e.g. The auto-cruise control system is an item The ACC in the toyota camry is a system As for system, we have many analyzing method. But I think there is no good approach of the item. ISO Part 10 Fig. 3

8 Item Sketch We use the item sketch to represent the static and dynamic model of an item As the static representation, we use the type model of catalysis (, but uml class model is enough in this phase) As the dynamic model, we can use the statechart as a finite state machine TypeCACCSimpleRecognition ForwardCar Recognise by LIDAR Recognise by Comm. 1 1 SelfCar 1 LIDAR Comm. Device Example of static item sketch

9 Item Sketch Curuise Control ON CACC_Control in the broad sense CACC_Control in the broad sense CACC CACC [ TargetNOTRecognizedByImage ] edbyuser ] CC_ON [ CACCselectedByUser ] TargetIdentified StandBy TargetIdentified [ TargetNOTRecognizedByIm CCC Cruise Control OFF StandBy StandBy TargetLost Cancel / Transition NoIdentifiedCars [ AfterTmsec ] / Transition CACC StandBy CCC CC_OFF ACC_CCC_Breakdown [ ACCselectedByUser ] TargetLost Cancel / Transition NoIdentifiedCars [ AfterTmsec ] / Transition CACC CACC_breakdown / Transition ACC TargetIdentified StandBy ACC [ SatisfiedSpeedCondition ] UserInteraction Cancel / Transition CCC Control StandBy [ SatisfiedSp dbyuser ] TargetLost Cancel / Transition NoIdentifiedCars [ AfterTmsec ] / Transition CACC_breakdown / Transition ACC UserInteraction Cancel / Tra [ TargetNOTRecognizedByImage ] CCC Co

10 five issues Item? Item sketch (static & dynamic model) Safety activity and other development activity Finding Hazards How to calculate the controllability for ASIL Several times

11 Safety activity and other development activity No separation ISO is the standard for functional safety. We would like to locate it in the whole development process, because in the early phase (i.e. concept phase) it is hard to divide it into the development and safety activity Solution: Goal Model To consolidate the requirements in the abstract level, we use the KAOS approach (Obstacle node is a candidate of hazard)

12 Goal model The goal of an item is the top goal. We decompose it into the subgoals. We can also write the non-functional requirement, for example, as a soft goal Keep safe distance with inter-vehicle communication LIDAR may be used also in ACC system Continuously identify the forward car This calculation will be done aside from ACC and CC calculation Calculate the driving (braking) force Arbitrate t other syst Recognise the forward car by LIDAR Communicate with other cars Make final identification of forward car using LIDAR and comm. Calculate the speed of self car Calculate the relative speed using info from... Ca dri for Find cars that self car can communicate with Maintain communication with forward car example of goal modeling by goal decomposition

13 five issues Item? Item sketch (static & dynamic model) Safety activity in the whole development process Use goal model Finding Hazards How to calculate the controllability for ASIL Several times

14 Finding Hazards The item is an abstract object and it is not a system So, It is hard to use the conventional method (such as FTA). Here! Item Function realization Sytem Not in concept phase Component HW-Part SW-Unit

15 Finding Hazards We use the description of a goal, it is compromising semi-formal approach Because, In concept phase, it is hard to describe the formal model But, the graphical representation of item sketch (UML and specification type) help us to think correctly. If sentence consist of <Subject> <Verb> <Object>, we can write: e.g. The subject car can recognize the car ahead by LIDAR. Insert the guide word (of HAZOP) or change the predicate/object. e.g. The subject car can NOT recognize the car ahead by LIDAR Subject Predicate Object the object is also the candidate object in the static item sketch

16 Finding Hazards Use sentence in the goal node Apply the what-if question to the goal node e.g.: recognize the forward car (system) does NOT recognize the forward car (system) is LATE to recognize the forward car recognize the forward car normally recognize the... [NOT] does NOT recognise... [LATE] LATE to recognise... Goal VS. Obstacle

17 Finding Hazards Another method: item sketch is helpful to apply the what-if type question ForwardCar Change Cardinality Keep time gap Speed Time gap CalSpeed() SelfCar ModifySetSpeed() ModifyTimeGap() Change Attribute Change Action Relativity Change Responsibility Controller warning status BrakeCtrl() EngineCtrl()

18 SSM Situation-Scenario Matrix We can express the usage of an item by the scenario and the situation. Example: CACC Road type Structure on the road Neighboring car Degree of jam Climate visibility Non-automobile perimeter objects Regulation

19 SSM Example A Scenario Situations situation category situation attribute An Example SSM of CACC

20 five issues Item? Item sketch (static & dynamic model) Safety activity in the whole development process Use goal model Finding Hazards guide words, Situation-Scenario Matrix (SSM) How to calculate the controllability for ASIL Several times

21 ASIL and Controllability We need three factors to calculate ASIL CACC Scenario In highway, (AND) driving at high velocity in CACC mode B It comes from SSM Malfunction Identified, but there are differences in both information. If this situation continues, controller may indicate the wrong time gap. from Obstacle Severity Exposure Controllability It may lead to crash with the forward car in larger velocity than expected E3: Highway E4: High velocity If driver notices the wrong behavior of CACC, he can put on the brake and he can escape from the CACC control. ASIL definition of an item S3 E3 C2 21

22 Controllability Controllability is the ability to avoid a specified harm or damage through the timely reactions of the persons involved, possibly with support from external measures (ISO ) How to calculate?

23 Big Picture with driver and environment model DESH-G schema covers the environment, driver and goal as well as hardware and software. E S Software & G Goal Hardware Environment Scenario H factors (road, traffic, weather...) Activity Action Operation driver skill driver state Driver D Activity Action Operation ACTV A ACTV A TASK_A TASK_A TASK_B TASK_B OP_A1 OP_A1 OP_A2 OP_A2 OP_B1 OP_B1 OP_B2 OP_B2 OP_B3 OP_B3 OP_B4 OP_B4 23

24 Driving Difficulty DD Driving Difficulty (DD) is given by the difference between the value of Driver Capability (DC) and the value of the Task Demand (TD) to achieve the driver goal. f safe (dc,td,c th ) = f (dc,td) - c mrg th 0 f mrg (dc,td) = dc -td INV : dc > td when f safe c th when f safe < c th TD DC dc : DC (Driver Capability) 1/fsafe td : TD (Task Demand) c th : threshold Cth Safe Danger 24

25 Safety vs Harm System Limit Task Demand Driver Capability Hazardous event occurred Task t = t n Task t = t n+1 D-zone Driver t = t m+1 Driver t = t m break point for accident degradation of driver capability Variation of Individuals

26 five issues Item? Item sketch (static & dynamic model) Safety activity in the whole development process Use goal model Finding Hazards Guide words, Situation-Scenario Matrix (SSM) How to calculate controllability for ASIL Driver model, SSM Several times

27 Several times Functional Safety Requirement (FSR) has followings: a) operating modes b) fault tolerant time interval (FTTI) c) safe states d) emergency operation interval, and e) functional redundancies (e.g. fault tolerance) (2) (2) (1) Points: (1)Abstract Functional Safety Mechanism (2)Flow Analysis and error description by AADL

28 FTTI & Emergency Operation Interval Fault and Transition Fault Fault Detection Transitioned to Safe State Possible Hazard Normal Operation (Safe State) Time T <= Diagnostic Test Fault Reaction Time Interval Emergency Operation Interval Fault Torelant Time Interval FTTI Fault reaction time and fault tolerant time interval (ISO Fig.4)

29 Abstract Functional Safety Mechanism

30 Generic initial architecture w/ safety mechnism For functional redundancy, we have to several checker/verifier for the target controller Refined Controller acontroller Output Input Compose of three check blocks Input Checker Runtime Checker (Fault Detection) Transit to safe state Output Checker Error

31 Initial Architecture system implementation comp0.i subcomponents c : system pcontroller {ISO26262::ASIL => LEVEL_B;}; i : system pfsminp.i; s : system pfsmcre.i; o : system pfsmout.i; connections c0 : port i.p_out > s.p_in; c1 : port s.p_out > o.p_in; ce : port o.p_err > p_err; annex EMV2 {** use types errorlibrary; use behavior NILErrorModelLibrary::Basic_behave; state transition composite error behavior states [o.failed] >failed; end composite; **}; end comp0.i; Implementation part ISO property set Three checkers in/out Use error annex Error relating behavior

32 Describing estimated latency system pfsminp features p_in : in event data port; p_out : out event data port; flows fll0 : flow path p_in > p_out { latency => 1 Ms.. 4 Ms; }; Flow path p_in p_out Input Checker (pfsminp) Describe estimated Latency in the flow path

33 Calculation of FTTI To calculate FTTI we need the various flow paths Refined Controller acontroller Input Checker Output Checker Runtime Checker Fault Detection)(Transit to Safe State)

34 five issues Item? Item sketch (static & dynamic model) Safety activity in the whole development process Use goal model Finding Hazards Guide words, Situation-Scenario Matrix (SSM) How to calculate controllability for ASIL Driver model, SSM Several times AADL and flow model

35 Conclusion To support the concept phase of ISO 26262, we propose the practical approach. This is manly based on the goal model and we add new features. Item Sketch Scenario-Situation Matrix (SSM) Driver Model General functional safety mechanism

36 Summarize by goal model (Sub-)Goal Safety Activity Obstacle FR: Functional Requirement FRS: Functional Safety Requirement FR Safety Mechanism FSR Development and Safety Activity by the KAOS Goal model 36